COMMAND

	FreeBSD Remote denial-of-service when using accept filters

SYSTEMS AFFECTED

	 FreeBSD 4.5-RELEASE

	 FreeBSD 4-STABLE after 2001-11-22 and prior to the correction date

	

PROBLEM

	As related in FreeBSD Security  Advisory  FreeBSD-SA-02:26.accept,  Mike
	Silbersack  <silby@FreeBSD.org>  found  a  bug  in   accept_filter(9)
	mechanism, which allows  an  application  to  request  that  the  kernel
	pre-process incoming connections. For example, the  accf_http(9)  accept
	filter prevents accept(2) from returning until a full HTTP  request  has
	been buffered.
	

	No accept filters are enabled by default. A  system  administrator  must
	either compile the  FreeBSD  kernel  with  a  particular  accept  filter
	option (such as ACCEPT_FILTER_HTTP) or load the filter using  kldload(8)
	in order to utilize accept filters.
	

	

	 Problem Description

	 ===================

	

	In the process of adding a syncache to  FreeBSD,  mechanisms  to  remove
	entries from the incomplete listen queue were removed, as  only  sockets
	undergoing accept filtering now use the incomplete queue.
	

	

	 Impact

	 ======

	

	By simply connecting to a socket using accept filtering  and  holding  a
	few hundred sockets open (~190 with the default backlog value), one  may
	deny access to a service. In addition to malicious  users,  this  affect
	has also been reported to be caused by worms  such  as  Code  Red  which
	generate URLs that do not meet the http accept filter\'s criteria.
	

	Systems are not affected by this bug unless  they  have  enabled  accept
	filters in the kernel and are utilizing  an  application  configured  to
	take advantage of this feature. Apache (versions 1.3.14  and  later)  is
	the only application known to utilize accept filters by default.
	

	

SOLUTION

	 Workaround

	 ==========

	

	Do not use accept filters. If you have  enabled  the  ACCEPT_FILTER_DATA
	or ACCEPT_FILTER_HTTP options in your kernel, remove these  options  and
	recompile        your        kernel        as        described        in
	<URL:http://www.freebsd.org/handbook/kernelconfig.html>  and   reboot
	the system. If you have loaded one  of  the  kernel  accept  filters  by
	using kldload(8), then you must modify your startup scripts not to  load
	these modules and  reboot  your  system.  You  may  list  loaded  kernel
	modules by using kldstat(8). If loaded, the HTTP accept filter  will  be
	listed as `accf_http.ko\', and the Data accept filter will be listed  as
	`accf_data.ko\'.
	

	For affected versions of Apache, accept filters may be  disabled  either
	by adding the directive ``AcceptFilter  off\'\'  to  your  configuration
	file, or via a compile-time option, depending upon the  version.  Please
	see the Apache documentation for details.
	

	

	 Solution

	 ========

	

	1) Upgrade your vulnerable system to 4.5-STABLE; or  to  the  RELENG_4_5
	(4.5-RELEASE-p6) security branch dated after the  respective  correction
	dates.
	

	2) To patch your present system:
	

	The following patch has been verified to apply  to  FreeBSD  4.5-RELEASE
	and 4.5-STABLE systems.
	

	a) Download the relevant patch from the location below, and  verify  the
	detached PGP signature using your PGP utility.
	

	

	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:26/accept.patch

	# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:26/accept.patch.asc

	

	

	b) Execute the following commands as root:
	

	

	# cd /usr/src

	# patch < /path/to/patch

	

	

	c)      Recompile      your      kernel      as       described       in
	<URL:http://www.freebsd.org/handbook/kernelconfig.html>  and   reboot
	the system.